Abstract — The wireless medium contains domain-specific
information that can be used to complement and enhance
traditional security mechanisms. In this paper we propose ways to
exploit the fact that, in a typically rich scattering environment,
the radio channel response decorrelates quite rapidly in space.
Specifically, we describe a physical-layer algorithm that combines
channel probing (M complex frequency response samples over
a bandwidth W) with hypothesis testing to determine whether
current and prior communication attempts are made by the same
user (same channel response). In this way, legitimate users can
be reliably authenticated and false users can be reliably detected.
To evaluate the feasibility of our algorithm, we simulate spatially
variable channel responses in real environments using the WiSE
ray-tracing tool; and we analyze the ability of a receiver to
discriminate between transmitters (users) based on their channel
frequency responses in a given office environment. For several
rooms in the extremities of the building we considered, we have
confirmed the efficacy of our approach under static channel
conditions. For example, measuring five frequency response samples
over a bandwidth of 100 MHz and using a transmit power of
100 mW, valid users can be verified with 99% confidence while
rejecting false users with greater than 95% confidence.



I. Introduction 

As wireless devices become increasingly pervasive and 
essential, they are becoming both a target for attack and 
the very weapon with which such an attack can be carried 
out. Traditional high-level computer and network security 
techniques can, and must, play an important role in combating 
such attacks, but the wireless environment presents both the 
means and the opportunity for new forms of intrusion. The 
devices that comprise a wireless network environment are
low-cost commodity items that are easily available to potential
intruders and also easily modifiable for such intrusion. In 
particular, wireless networks are open to intrusion from the 
outside without the need for a physical connection and, as a 
result, techniques which would provide a high level of security 
in a wired network have proven inadequate in a wireless 
network, as many motivated groups of students have readily 
demonstrated [1]-[3].

Although conventional cryptographic security mechanisms 
are essential to securing wireless networks, these techniques 
do not directly leverage the unique properties of the wireless 
domain to address security threats. The physical properties 
of the wireless medium are a powerful source of
domain-specific information that can be used to complement and
enhance traditional security mechanisms. In this paper, we
propose that a cross-layer approach can be used to augment 
the security of wireless networks. In particular, we believe 
that the nature of the wireless medium can be turned to the 
advantage of the network engineer when trying to secure 
wireless communications. The enabling factor in our approach 
is that, in the rich multipath environment typical of wireless 
scenarios, the response of the medium along any
transmit-receive path is frequency-selective (or in the time domain,
dispersive) in a way that is location-specific. This means: 

1) The channel can be specified by a number of complex 
samples either in the frequency domain (a set of complex 
gains at a set of frequencies) or the time domain (a set 
of impulse response samples at a set of time delays). 

2) Such sets of numbers decorrelate from one
transmit-receive path to another if the paths are separated by the
order of an RF wavelength or more. 

Using the uniqueness of the channel between two locations, we 
believe it is possible to establish new forms of authentication 
that include information available at the physical layer. Rather 
than rely solely on higher-layer cryptographic mechanisms, 
wireless devices can authenticate themselves based upon their 
ability to produce an appropriate signal at the recipient. 

While using the physical layer to enhance security might 
seem to be a radical paradigm shift for wireless systems, we 
note that this is not the first time that multipath and advanced 
physical layer methods have proven advantageous. Specifically,
we are encouraged in our belief by two notable parallel
paradigm shifts in wireless systems: (1) code division multiple 
access (CDMA) systems [4], where the use of Rake processing 
transforms multipath into a diversity-enhancing benefit; and 
(2) multiple-input multiple-output (MIMO) antenna techniques 
[5], which transform scatter-induced Rayleigh fading into a 
capacity-enhancing benefit. 

In order to support the use of physical layer information 
for enhancing wireless security, it is necessary to understand 
the degree to which physical layer measurements can serve 
to discriminate between transmitters, and then to place this 
functionality in the context of a greater end-to-end security 
framework. In this paper, we tackle the first of these problems 
by providing an initial investigation into the ability of a 
receiver to distinguish between transmitters. 

We begin the paper in Section II by providing an overview
of our proposed PHY-layer authentication service. We then
examine the possibilities of achieving physical-layer
authentication using a hypothesis testing framework in Section III. In
order to validate our ideas, we have performed simulations
using the WiSE propagation tool, and our results are in
Section IV. Our objective is to understand the degree to which
physical layer authentication is possible, and hence our initial
performance studies reported in this paper are for a benign,
static multipath environment. We wrap up the paper in Section
V by providing concluding remarks and highlighting important
areas for further investigation.

Fig. 1. The adversarial multipath environment involving multiple scattering
surfaces. The transmission from Alice (A) to Bob (B) experiences different
multipath effects than the transmission by the adversary, Eve (E).

II. Problem Overview 

Traditionally, authentication involves the verification of an 
entity's identity. In the context of physical layer authentication, 
however, we are not interested in identity, per se, but rather are 
interested in recognizing a particular transmitter device. The 
ability to distinguish between different transmitters would be 
particularly valuable in real wireless systems, as it would help 
prevent spoofing attacks, where one wireless device claims 
to be another wireless device. Currently, spoofing attacks are 
very easy to launch in many wireless networks. For example, 
in commodity networks, such as 802.11 networks, it is easy 
for a device to alter its MAC address by simply issuing an 
ifconfig command. This weakness is a serious threat, and
there are numerous attacks, ranging from session hijacking 
[6] to attacks on access control lists [2], that are facilitated by 
the fact that an adversarial device may masquerade as another 
device. 

Here, we seek to develop the notion of physical-layer 
authentication services by making use of the complexity
associated with multipath propagation. Throughout the discussion,
we shall borrow from the conventional terminology of the
security community by introducing three different parties:
Alice, Bob and Eve. For our purposes, these three entities
may be thought of as wireless transmitters/receivers that are
potentially located in spatially separated positions, as depicted
in Figure 1. Our two "legal" protagonists are the usual Alice
and Bob, and for the sake of discussion throughout this paper, 
Alice will serve as the transmitter that initiates communication, 
while Bob will serve as the intended receiver. Their nefarious 
adversary, Eve, will serve as an active opponent who injects 
undesirable communications into the medium in the hopes of 
impersonating Alice. 

Our security objective, broadly speaking, is to provide 
authentication between Alice and Bob, despite the presence
of Eve. Authentication is traditionally associated with the
assurance that a communication comes from a specific entity 
[7]. Returning to our communication scenario, this objective 
may be interpreted as follows. Since there is a potential 
adversary, Eve, who is within range of Alice and Bob, and who 
is capable of injecting her own signals into the environment to 
impersonate Alice, it is desirable for Bob to have the ability 
to differentiate between legitimate signals from Alice and 
illegitimate signals from Eve. He therefore needs some form 
of evidence that the signal he receives did, in fact, come from 
Alice. 

In a multipath environment, the property of rapid spatial 
decorrelation can be used to authenticate a transmitter. To 
illustrate this, let us return to Figure 1 and consider a simple
transmitter identification protocol in which Bob seeks to verify 
that Alice is the transmitter. Suppose that Alice probes the 
channel sufficiently frequently to assure temporal coherence 
between channel estimates and that, prior to Eve's arrival, 
Bob has estimated the Alice-Bob channel. Now, Eve wishes 
to convince Bob that she is Alice. Bob will require that 
each information-carrying transmission be accompanied by 
an authenticator signal. The channel and its effect on a 
transmitted signal between Alice and Bob is a result of the 
multipath environment. Bob may use the received version of 
the authenticator signal to estimate the channel response and 
compare this with a previous record for the Alice-Bob channel. 
If the two channel estimates are "close" to each other, then 
Bob will conclude that the source of the message is the same 
as the source of the previously sent message. If the channel 
estimates are not similar, then Bob should conclude that the 
source is likely not Alice. 

There are several important issues related to such a
procedure that should be addressed before it can be a viable
authentication mechanism. First is the specification of the 
authenticator signal that is used to probe the channel. There are 
many standardized techniques to probe the channel, ranging 
from pulse-style probing to multi-tonal probing [8], and we 
may use these techniques to estimate the channel response. 
Regardless of what probing method is employed, the channel 
response can be characterized in the frequency domain, and 
throughout this paper we will represent our channels in that 
domain. 

Next, at the heart of our idea, we use the fact that, in a richly
scattered multipath environment (typical of indoor wireless
environments), it is difficult for an adversary to create or precisely
model a waveform that is transmitted and received by entities 
that are more than a wavelength away from the adversary. 
The difficulty of an adversary to predict the environment is 
supported by the well-known Jakes uniform scattering model 
[9], which states that the received signal rapidly decorrelates 
over a distance of roughly half a wavelength, and that spatial 
separation of one to two wavelengths is sufficient for assuming 
independent fading paths. The implication of such a scattering 
model in a transmitter identification application remains to 
be tested, and one of the objectives behind this study is to 
examine the utility of a typical indoor multipath environment 
for discriminating between Alice-Bob and Eve-Bob channels. 
It should also be noted that the multipath channel will change 
with time due to both terminal mobility and changes in the
environment. As mentioned earlier, in practice it will be 
necessary to guarantee the continuity of the authentication 
procedure by probing the channel at time intervals less than 
the channel's coherence time. However, even before issues 
of temporal variability can be brought into the picture, it is 
necessary to first examine the ability to distinguish between 
transmitters in a static multipath environment. This paper 
examines the ability to authenticate transmitters in such an 
environment, and serves to illustrate the potential for new 
forms of physical layer security. 

III. Analysis 

In this section, we provide a formulation of physical layer 
authentication as a hypothesis testing problem. 

A. System Model 

We assume that Bob first measures and stores the frequency
response of the channel connecting Alice with him. Though
the true channel response is $H_{AB}(f)$, Bob stores a noisy
version, $\hat{H}_{AB}(f)$, due to his receiver noise. After a while,
he has to decide whether a transmitting terminal is still
Alice, his decision being based on a noisy measured version,
$\hat{H}_t(f)$, of that terminal's channel response to Bob (the true
response being $H_t(f)$). By sampling $\hat{H}_{AB}(f)$ and $\hat{H}_t(f)$,
$f \in (f_o - W/2, f_o + W/2]$, Bob obtains two vectors
$\underline{\hat{H}}_{AB}$ and $\underline{\hat{H}}_t$,

where the elements of vector $\underline{A} = [A_1, \ldots, A_M]^T$ are samples
from $A(f)$. More specifically, $A_m = A(f_o - W/2 + m\Delta f)$,
$m = 1, \ldots, M$, where $\Delta f = W/M$; $M$ is the sample size;
$W$ is the measurement bandwidth; $f_o$ is the center frequency
of the measurement; and all elements of $\underline{N}_1$ and $\underline{N}_2$ are i.i.d.
complex Gaussian noise samples $CN(0, \sigma^2)$. Considering the
fact that the phase of Bob's receiver local oscillator (LO) can
change between one measurement and another, we introduce
$\phi_1$ and $\phi_2 \in [0, 2\pi)$ to represent measurement errors in the
phase of the channel frequency response.

B. Hypothesis Testing 

Bob uses a simple hypothesis test [10] to decide if the 
transmitting terminal is Alice or a would-be intruder, e.g., Eve. 
The null hypothesis, $\mathcal{H}_0$, is that the terminal is not an intruder,
i.e. the claimant is Alice; and Bob accepts this hypothesis if
the test statistic he computes, $L$, is below some threshold, $k$.
Otherwise, he accepts the alternative hypothesis, $\mathcal{H}_1$, that the
claimant terminal is someone else. 
The test statistic is chosen to be

The minimization over the phase $\phi$ is necessary to account
for measurement errors in the phase of the frequency response,
$\phi_1$ and $\phi_2$. Without this adjustment by Bob, the transmitting
terminal can be rejected even if it is in fact Alice. It is easy
to show that the minimizing value of $\phi$ is

For the sake of analytical tractability, we will use for $\phi^*$
the value corresponding to a noiseless channel ($\hat{H}_{AB}(f) =
H_{AB}(f)$ and $\hat{H}_t(f) = H_t(f)$); for the high-SNR conditions
where the system must operate, this is a very reasonable
approximation.

Subject to this approximation, it is easy to show that, when
the transmitting terminal is Alice, the test statistic $L$ is a
chi-square random variable with $2M$ degrees of freedom [11],
i.e.,

where $n_{rm}$ and $n_{im}$ are i.i.d. Gaussian variables $N(0, \sigma^2)$.
When the transmitting terminal is Eve, however, $L$ becomes a
non-central chi-square variable with a non-centrality parameter
$\mu_L$, i.e.,

where $\Delta h_{rm}$ and $\Delta h_{im}$ are the real and imaginary parts of
$(H_{EBm} - H_{ABm} e^{j\phi^*})$, respectively, with $\phi^*$ the minimizing
phase given above, and
$\mu_L = \frac{1}{\sigma^2} \sum_{m=1}^{M} |H_{EBm} - H_{ABm} e^{j\phi^*}|^2$.

We define the rejection region for $\mathcal{H}_0$ as $L > k$, where $k$ is
the threshold. Thus, the "false alarm rate" (or Type I error) is

$$\alpha = P_{\mathcal{H}_0}(L > k) = 1 - F_{\chi^2_{2M}}(k),$$

and the "miss rate" (or Type II error) is

$$\beta = P_{\mathcal{H}_1}(L < k) = F_{\chi^2_{2M,\mu_L}}(k), \quad (9)$$

where $F_X(\cdot)$ is the CDF of the random variable $X$. For a
specified $\alpha$, the threshold of the test is $k = F^{-1}_{\chi^2_{2M}}(1 - \alpha)$,
and the miss rate is $\beta = F_{\chi^2_{2M,\mu_L}}(F^{-1}_{\chi^2_{2M}}(1 - \alpha))$, which
decreases with $\mu_L$. More specifically, with $\alpha$ fixed, $\beta$ rises
with $\sigma^2$ (because $k$ does) and falls with
$\sum_{m=1}^{M} |H_{EBm} - H_{ABm} e^{j\phi^*}|^2$.



IV. Simulation and Numerical Results 

A. Simulating the Transfer Functions 

In order to test the proposed scheme, it is necessary to model 
not only "typical" channel responses, but the spatial variability 
of these responses. Only in that way can we discern the success 
in detecting would-be intruders like Eve. To that end, we 
make use of the WiSE tool, a ray-tracing software package 
developed by Bell Laboratories [12]. One input to WiSE 
is the 3-dimensional plan of a specific building, including
walls, floors, ceilings and their material properties. With this
information, WiSE can predict the rays at any receiver from
any transmitter, including their amplitudes, phases and delays.
From this, it is straightforward to construct the
transmit-receive frequency response over any specified interval.

We have done this for one particular office building, for 
which a top view of the first floor is shown in Fig. 2. This
floor of this building is 120 meters long, 14 meters wide and 
4 meters high. For our numerical experiment, we placed Bob 
in the hallway (the filled-in circle) at a height of 2 m. For the 
positions of Alice and Eve, we considered four rooms at the 
extremities of the building (shown shaded). For each room, we 
assumed Alice and Eve both transmitted from a height of 2 
m, each of them being anywhere on a uniform horizontal grid 
of points with 0.2-meter separations. With $N_s$ grid points in
a room, there were $N_s(N_s - 1)/2$ possible pairs of Alice-Eve
positions. For Rooms 1, 2, 3 and 4, the numbers of grid points
were $N_s$ = 150, 713, 315 and 348, respectively. For each
Alice-Eve pair, (1) WiSE was used to generate the Alice-Bob
and Eve-Bob channel responses ($H_{AB}(f)$ and $H_{EB}(f)$); and
(2) the hypothesis test described above was used to compute
$\beta$ for a specified $\alpha$. The set of all $\beta$-values in a room was
used to compute a room-specific mean, $\bar{\beta}$, for each of several
selected combinations of bandwidth ($W$), number of tones ($M$) and
transmit power ($P_T$).

B. Transmit Power and Receiver Noise 

Assume that, in conjunction with WiSE, we obtain the
various transfer functions as dimensionless ratios (e.g., received
E-field/transmitted E-field). Then the proper treatment of the
noise variance, $\sigma^2$, in the hypothesis test is to define it as the
receiver noise power per tone, $P_N$, divided by the transmit
power per tone, $P_T/M$, where $P_T$ is the total transmit power.
Noting that $P_N = \kappa T N_F b$, where $\kappa T$ is the thermal noise
density in mW/Hz, $N_F$ is the receiver noise figure, and $b$ is
the measurement noise bandwidth per tone in Hz, we can write

$$\sigma^2 = \frac{\kappa T N_F b}{P_T/M} = \frac{M}{\Gamma},$$

where $P_T$ is in mW, $\Gamma = P_T/P_N$ and we will henceforth refer
to $\Gamma$ by its decibel value.
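The hypothesis test of Section III-B combined with the noise normalization above, as an added example that is not code from the paper. It assumes the statistic has the form L = (1/σ²) min over φ of Σ|Ĥ_tm − Ĥ_ABm e^{jφ}|² (consistent with the stated μ_L and noise model) and a measurement model of random LO phase plus CN(0, σ²) noise; the channel vectors, seed and function names are constructed for illustration.

```python
import cmath, math, random

def chi2_cdf(x, k):
    """CDF of a central chi-square with 2k degrees of freedom (closed form)."""
    if x <= 0:
        return 0.0
    h, term, acc = x / 2.0, 1.0, 0.0
    for i in range(k):
        acc += term
        term *= h / (i + 1)
    return 1.0 - math.exp(-h) * acc

def threshold(alpha, m):
    """k = F^{-1}(1 - alpha) for 2M degrees of freedom, found by bisection."""
    lo, hi = 0.0, 1.0
    while chi2_cdf(hi, m) < 1.0 - alpha:
        hi *= 2.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        lo, hi = (mid, hi) if chi2_cdf(mid, m) < 1.0 - alpha else (lo, mid)
    return hi

def miss_rate(alpha, m, mu):
    """beta = non-central chi-square CDF at k, as a Poisson(mu/2) mixture."""
    k, lam = threshold(alpha, m), mu / 2.0
    if lam == 0.0:
        return chi2_cdf(k, m)
    beta = 0.0
    for j in range(int(lam + 12 * math.sqrt(lam) + 40)):
        w = math.exp(-lam + j * math.log(lam) - math.lgamma(j + 1))
        beta += w * chi2_cdf(k, m + j)
    return beta

def sigma2(gamma_db, m):
    """sigma^2 = M / Gamma, with Gamma = P_T / P_N given in dB."""
    return m / 10 ** (gamma_db / 10.0)

def statistic(ref, cur, s2):
    """Assumed form: L = (1/sigma^2) min_phi sum |cur_m - ref_m e^{j phi}|^2."""
    # The minimizing phase is the argument of the correlation sum.
    phi = cmath.phase(sum(c * r.conjugate() for r, c in zip(ref, cur)))
    rot = cmath.exp(1j * phi)
    return sum(abs(c - r * rot) ** 2 for r, c in zip(ref, cur)) / s2

def measure(h, s2, rng):
    """Noisy estimate: random LO phase plus CN(0, sigma^2) noise on each tone."""
    rot = cmath.exp(1j * rng.uniform(0.0, 2.0 * math.pi))
    s = math.sqrt(s2 / 2.0)
    return [x * rot + complex(rng.gauss(0, s), rng.gauss(0, s)) for x in h]

# Constructed channel samples (M = 5 tones, gains near 1e-5); not WiSE output.
H_AB = [1e-5 * z for z in (1+.2j, -.4+.9j, .3-.7j, .8+.5j, -.6-.1j)]
H_EB = [1e-5 * z for z in (-.2+.7j, .9+.1j, -.5-.4j, .1-.9j, .6+.6j)]

def empirical_rates(gamma_db, alpha=0.01, trials=2000, seed=1):
    """Monte Carlo (false alarm rate, miss rate) for the constructed channels."""
    rng, m = random.Random(seed), len(H_AB)
    s2, k = sigma2(gamma_db, m), threshold(alpha, m)
    alarms = misses = 0
    for _ in range(trials):
        ref = measure(H_AB, s2, rng)  # Bob's stored record of Alice
        alarms += statistic(ref, measure(H_AB, s2, rng), s2) > k
        misses += statistic(ref, measure(H_EB, s2, rng), s2) <= k
    return alarms / trials, misses / trials

if __name__ == "__main__":
    for g in (110, 120):
        mu = statistic(H_AB, H_EB, sigma2(g, 5))  # noiseless statistic = mu_L
        print(g, "dB  mu_L=%.2f  beta=%.4f" % (mu, miss_rate(0.01, 5, mu)),
              "empirical (alpha, beta) =", empirical_rates(g))
```

For these constructed channels a 10 dB drop in Γ divides μ_L by ten and moves the analytic miss rate from well under 1% to a clear majority of attempts.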

C. Simulation Results 

In the simulations, we set $\alpha$ = 0.01, $f_o$ = 5 GHz, $N_F$ = 10,
and $\Gamma$ = 90, 100, 110, 120 dB, which may be viewed as
combinations of $b$ = 2.5 MHz and $P_T$ = 0.1, 1, 10, 100
mW, respectively. As noted earlier, we place Alice and Eve on
dense grids in each of four rooms at the corners of a particular
building, with Bob in the hallway, Fig. 2.

We obtain a miss rate for each Alice-Eve pair, and then
calculate the mean value for each room with $M$ = 1 ~ 10
and $W$ = 0.05 ~ 0.5 GHz. The results verify the utility of our
algorithm and show that, if $P_T$ = 100 mW, most values of
$\bar{\beta}$ are below 0.05, even at the farthest corners of the building.

Figures 3-6 show our computed results for Rooms 1-4,
respectively. They show that, in terms of minimizing $\bar{\beta}$,
increasing transmit power can be most beneficial, while increasing the
bandwidth and number of tones has less impact. In all cases,
there is little benefit (or even a deficit) in increasing $M$ beyond
~5; and in most cases, there is little benefit in increasing $W$
beyond ~100-200 MHz. This finding, however, applies to
the case where there are no temporal variations in the levels
or shapes of the transfer functions, a topic we discuss in the
last section.

Fig. 2. System topology assumed in the simulations. Bob is located at [45.6,
6.2, 3.0] m in a 120 m × 14 m × 4 m office building. Alice and Eve are
located on dense grids at a height of 2 m. The sizes of the grids are $N_s$ = 150,
713, 315, and 348, respectively, for Room 1, 2, 3 and 4.

Finally, the figures show the effects of distance (path 
length), which influences the per-tone signal-to-noise ratios 
at Bob's receiver. Rooms 3 and 4, which are farther from 
Bob than Rooms 1 and 2, have clearly poorer performance in 
rejecting Eve. Since the four rooms are at the building
extremities, we can assume that this set of results lower-bounds the
capabilities of our PHY-layer authentication algorithm. 

V. Conclusion & Future Work 

We have described and studied a physical layer technique
for enhancing authentication in a wireless in-building
environment. The technique uses channel frequency response
measurements and hypothesis testing to discriminate between
a legitimate user (Alice) and a would-be intruder (Eve). The
study used the ray-tracing tool WiSE to generate realistic
spatially varied responses, and results were obtained for several
most-distant (i.e., worst-case) rooms of one particular building.
They confirm the efficacy of the algorithm for realistic values
of the measurement bandwidth (e.g., $W$ ~ 100 MHz), number
of response samples (e.g., $M$ < 5) and transmit power
(e.g., $P_T$ ~ 100 mW). Computed results not shown here
(but suggested by the left side of Fig. 3a) indicate good
performance down to $W$ = 20 MHz, so that the method can
be used within bandwidths typical of existing WLANs.

Moving forward, further investigation is needed to test other 
buildings and to look at multiple Bob locations within the 
same building, thereby establishing required power levels for 
a wider class of cases. Another important topic is the temporal 
variations of the measured channel responses, e.g., variations 
due to movements within the building, slow time changes 
in the transmit power and/or receiver noise level, etc. Our 
preliminary investigations in [13] have confirmed the efficacy
of our approach in time-variant channels and showed that the
temporal variations even improve the performance in some
cases. Finally, as part of our ongoing efforts, we are
working to integrate physical layer authentication into a holistic
cross-layer framework for wireless security that will augment
traditional "higher-layer" network security mechanisms with
physical layer methods.

Fig. 3. Results for Room 1. Alice and Eve are placed within Room 1, while
Bob is located in the center of the building, as depicted in Fig. 2. For each
combination of Alice and Eve locations, the corresponding channel responses
to Bob were used to estimate the miss rate. The average miss rate for Room
1, $\bar{\beta}$, is reported as: (a) a function of bandwidth (W) for fixed number of
tones (M); and (b) as a function of M for fixed W.

Fig. 5. The average miss rate, $\bar{\beta}$, for Room 3, is reported as: (a) a function
of bandwidth (W) for fixed number of tones (M); and (b) as a function of
M for fixed W.

Fig. 6. The average miss rate, $\bar{\beta}$, for Room 4, is reported as: (a) a function
of bandwidth (W) for fixed number of tones (M); and (b) as a function of
M for fixed W.



